RHEL 6 : Virtualization Manager (RHSA-2012:1537)

Medium Nessus Plugin ID 78942

Synopsis

The remote Red Hat host is missing a security update.

Description

An updated jasperreports-server-pro package that fixes one security issue and various bugs is now available.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

JasperReports Server is a reporting server.

A flaw was found in the way the Apache Xerces2 Java Parser processed the SYSTEM identifier in DTDs. A remote attacker could provide a specially crafted XML file, which once parsed by an application using the Apache Xerces2 Java Parser, would lead to a denial of service (application hang due to excessive CPU use). (CVE-2009-2625)

This update also fixes the following bugs :

* Adding a user to any ROLE caused an unexpected exception.
(BZ#730712)

* Previously, the jasperreports-server-pro RPM spec file contained the '%{dist}' tag on the 'Release' line. To comply with the packaging and naming guidelines, the tag has been changed to '%{?dist}' with this update. (BZ#868927)

* In some cases reports were opened with an incorrect list of Entity/Entities. (BZ#842687)

Note: The jasperreports-server-pro package replaces rhevm-reports-server from Red Hat Enterprise Virtualization Manager 3.0.

Users are advised to upgrade to this updated package, which corrects these issues.

Solution

Update the affected jasperreports-server-pro package.

See Also

https://access.redhat.com/errata/RHSA-2012:1537

https://access.redhat.com/security/cve/cve-2009-2625

Plugin Details

Severity: Medium

ID: 78942

File Name: redhat-RHSA-2012-1537.nasl

Version: 1.6

Type: local

Agent: unix

Published: 2014/11/08

Updated: 2018/11/10

Dependencies: 12634

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:jasperreports-server-pro, cpe:/o:redhat:enterprise_linux:6

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2012/12/04

Reference Information

CVE: CVE-2009-2625

BID: 35958

RHSA: 2012:1537

CWE: 264